Hackers compromised some Zola user accounts to buy gift cards

Zola, a wedding planning startup that allows couples to create websites, budgets and gift registries, has confirmed that hackers gained access to user accounts but has denied a breach of its systems.

The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards.

In a statement given to TechCrunch, Zola spokesperson Emily Forrest said that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials.

“The vast majority of Zola couples were not impacted, but we are deeply apologetic to those who detected any irregular account activity,” Forrest said. “Our team acted as quickly as possible to protect our community of couples and guests, and we were able to block all attempted fraudulent transfers.”

TechCrunch has seen posts from a Telegram channel showing members discussing and posting screenshots accessing user accounts through the Zola app. One of the messages in the Telegram chat says to “make sure” to use the app and not the site. The partially redacted screenshots show the hackers ordering gift cards from a user’s account — including using the credit card on file with Zola — which are sent to the hackers’ email address after the order is placed. Gift cards are often the go-to choice for cybercriminals because they can be notoriously difficult to trace.

Zola confirmed the gift card orders and said the company is “quickly working” to correct them. “The vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day,” Forrest told TechCrunch. “Any action that a couple did not take will be corrected.”

Zola said it temporarily suspended its iOS and Android apps during the incident, and reset all user passwords out of an “abundance of caution.”

Zola said fewer than 0.1% of accounts were compromised but would not say specifically how many users that equates to. Zola also declined to answer our questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.

“Our support team is working tirelessly to respond to every impacted customer, and we truly appreciate their patience,” Forrest added. “We guarantee that any outstanding customer issues will be resolved and addressed.”

In a tweet, the company urged users who have seen funds stolen or fraudulent transactions to email its support team. Forrest told TechCrunch that “all funds, credit cards, and bank info continue to be protected” and that “all cash funds have been restored”.

Updated with additional comment from Zola.

If you work at Zola or know more about the security incident, get in touch with the security desk on Signal at +44 1536 853968.